Consumers have understandably been concerned about their personal information and the ways businesses interact with it. That concern has spawned a host of new legislation, not only in the United States, but around the globe. The recent passage of the General Data Protection Regulation (GDPR) in the European Union gave consumers sweeping new rights regarding their personal information, including the requirement that they give their consent to the ways in which personal information is used. Now, new legislation in the state of California seeks to give similar rights and protections to the citizens of that state.
WHAT IS THE CALIFORNIA CONSUMER PRIVACY ACT (CCPA)?
In the U.S., among the more influential new pieces of consumer protection legislation is the California Consumer Privacy Act (CCPA), which becomes effective January 1st of next year. The new Act will impact a wide range of businesses in the state—and its influence extends beyond California—already, 15 other states have introduced privacy legislation similar to California's. Although not as expansive as GDPR, the reach and impact of CCPA are substantial.
This is how CCPA is defined by Data Privacy Monitor:
"The California Consumer Privacy Act (CCPA) is a comprehensive new consumer protection law set to take effect on January 1, 2020…Among the many differences between the CCPA and existing U.S. privacy legislation, the definition of personal information under the new law is very broad and includes data elements not previously considered personal information under any U.S. law. In addition, the CCPA introduces new privacy rights for Californians, such as the right to know what personal information a business has collected about them, details on how the business uses and discloses the data, and the right to request that the business delete that information."
WHAT ARE THE MAIN PROVISIONS OF CCPA?
Under CCPA, a business is required to disclose what personal information it collects whenever a consumer makes a "verifiable request". In those circumstances, the business must disclose:
- What categories of personal information they've collected
- The sources from which the information was collected
- The reason they collected the information
- Any third parties with whom they've shared the information
- The specific information that was collected
- Any information that was sold to a third party
In addition to these requirements, businesses will be obligated to delete personal information they've collected if a consumer requests they do so—and they can't discriminate against consumers who make such requests. Finally, if a business intends to sell consumers' personal information, they will be required to disclose that fact, and to give consumers the right to "opt out" of the sale of their personal information.
WHAT ARE THE PENALTIES FOR VIOLATIONS OF CCPA?
Companies that violate the provisions of CCPA are subject to an injunction and to civil penalties of no more than $2,500 for each violation. If the violation is judged to be "intentional," the fine increases to $7,500 for each violation.
Also, consumers can bring a civil action against the business. The amount they can recoup is not less than $100 or more than $750—or "actual damages" (as interpreted by the court), whichever amount is greater.
DO THE PROVISIONS OF CCPA APPLY TO ALL ECOMMERCE BUSINESSES IN CALIFORNIA?
Not every eCommerce business in California will be substantially impacted by the new legislation. The major provisions of CCPA will, however, apply to any business (including any eCommerce business) in California if any of the following conditions is true:
- Your eCommerce business has gross annual revenues of greater than $25 million
- You buy, sell, receive or share for commercial purposes personal information for 50,000 or more consumers, households or devices in the state
- You get 50% or more of your annual revenues from selling consumers' personal information in California
- An explanation of consumer rights with regard to CCPA
- A description of the categories of personal information you've collected in the previous year
- The business purpose of the information that was collected
- All categories of personal information that you sold or disclosed for business purposes in the previous year
- Categories of third parties that you shared personal information with
- A link to an "opt-out" tool labeled "do not sell my personal information"
- Any financial incentives you've given for consumers to share personal information (for example, giving a discount in exchange for an email address)
- At least 2 ways consumers can request information, including a website URL and a toll-free number
WHAT STEPS SHOULD MY BUSINESS BEGIN TAKING NOW TO PREPARE FOR CCPA?
Many businesses are understandably taking a "wait and see" approach in case the provisions of CCPA are changed before its official rollout on January 1 of next year. It is, however, highly likely that some CCPA regulations will be included in the final legislation. That means there are proactive steps your business should be taking now to prepare for CCPA, including the following:
- Build a data inventory: Creating a data inventory (or data flow map) will help you understand the several ways in which you currently obtain personal information for your business, as well as the types of information you collect, share or sell and the purposes for which you do so.
- Identify all vendors and other third parties you share personal information with: You'll also need to take a close look at the contracts you have with these third parties regarding compliance with the new law—CCPA has complicated rules for any party with whom you share personal information.
- Test your business's preparedness: One of the best ways to find out where there are gaps in current processes and procedures is a dry run. This will tell you how prepared you are to respond to consumer requests and to quickly find the personal information (or answers to questions) the consumer has asked for.
- Make sure your customer data is secure: Although CCPA doesn't specifically change existing laws regarding data security, it does include a "private cause of action" provision which could increase statutory penalties for security incidents and data breaches that negatively impact your customers.
The bottom line is this: CCPA will become the law of the land starting in January. Its provisions are, for the most part, straightforward and unequivocal—and the penalties for violations of the CCPA could be damaging to your eCommerce business. To be prepared, study the new legislation carefully, get legal advice if you need to and take prudent action now to ensure that your business will be fully compliant.